
Summary
This detection rule identifies the creation of Office macro-enabled files (.docm, .dotm, .xlsm, .xltm, .potm and .pptm) on Windows systems by applications such as browsers and email clients. It monitors file events in the Windows environment and focuses on scenarios where malicious macro-enabled documents are downloaded or created, a common path to initial access for attackers. The detection selects on the process image to track specific applications known to download such files and checks the created file name for a macro-enabled extension. The rule's status is currently 'test'; it is relevant for security personnel monitoring for signs of macro-based exploitation as part of broader initial-access attack patterns. False positives may occur when legitimate macro documents are downloaded from trusted sources.
Categories
- Endpoint
- Windows
Data Sources
- File
ATT&CK Techniques
- T1566.001
Created: 2022-01-23